We will be updating this site soon to include details of our new version described by Matt Green at Real World Crypto 2014

What is Zerocoin?

Zerocoin is a proposed extension to the Bitcoin payment network that adds anonymity to Bitcoin payments. Just as paper currency once gained its value from being redeemable for gold, zerocoins gain their value from being redeemable for bitcoins. We believe that tools such as Zerocoin are necessary as the current Bitcoin payment network does not offer strong privacy protections. The main idea behind Zerocoin is to place anonymity technology into the Bitcoin network itself. This is substantially different from previous anonymization technologies such as “laundries”, since Zerocoin does not rely on a trusted centralized party that can fail or become corrupted.

What makes Zerocoin different from previous approaches:

  • Zerocoin operates in the Bitcoin network and is implemented as a series of extensions to the existing Bitcoin protocol. This approach means that Zerocoin can be deployed without relying on a central coin issuer or bank (as used in previous e-cash schemes). Moreover, since no single trusted party operates the Zerocoin system, attacks on Zerocoin must take on a substantial fraction of the Bitcoin network.

  • Zerocoin uses provably secure cryptographic techniques to ensure that Bitcoins cannot be traced. These techniques allow users to conduct transactions on the Bitcoin network while receiving strong mathematical guarantees that the transactions cannot be traced. These guarantees remain in place even if a portion of the Bitcoin network is compromised by an attacker.

  • Other anonymous cash systems rely on distributing the work of anonymizing users amongst a set of parties. This approach works well if all parties are fully available but can be subject to “denial of service” attacks where a small number of nodes are taken offline. Because Zerocoin is built on top of Bitcoin, it is widely distributed among all the Bitcoin peers, ensuring that the system can remain available even when many nodes are compromised.

The problem: Bitcoin is not private

The Bitcoin payment network offers a highly decentralized mechanism for creating and transferring electronic cash around the world. Unfortunately, Bitcoin suffers from a major limitation: since transactions are stored in a public ledger (called the “block chain”) it may be possible to trace the history of any given payment — even years after the fact. Worse, since the Bitcoin ledger is public, any party can recover this information and data mine to identify users and patterns in the transactions. In other words: Bitcoin transactions are conducted in public.

The Bitcoin protocol and clients address this in two ways: (1) all Bitcoin transactions are conducted using public keys as identifiers, and these public keys are not linked to individual names. And (2) Bitcoin clients are capable of generating many public keys (“identities”) to help users resist tracking. Unfortunately, a growing body of research indicates that these protections are insufficient. This information may allow data miners to link individual transactions, identify related payments, and otherwise trace the activities of Bitcoin users.

The most common solution to this problem is to use Bitcoin laundries – services that mix together many users’ bitcoins in order to obfuscate the transaction history. Laundries suffer from a number of potential drawbacks, however, as they must be trusted to return coins. Moreover a compromised or malicious laundry offers no anonymity.

How Zerocoin works

Zerocoin operates like a distributed laundry where the laundry is implemented within the Bitcoin network itself.

Zerocoin achieves this by creating a separate anonymous currency that operates side-by-side with traditional Bitcoin on the block chain. Zerocoins can be thought of literally as coins. They’re issued in a fixed denomination (for example, 1 BTC), and any user can purchase a zerocoin in exchange for the correct quantity of bitcoin. This purchase is done by placing a special new “Zerocoin Mint” transaction into the block chain.

Once a Mint transaction has been accepted by the Bitcoin peers, the same user can redeem her zerocoin back into bitcoins. She simply embeds a (preferably new) destination Bitcoin address into a “Zerocoin Spend” transaction, then sends it into the network. If the transaction checks out, the Bitcoin peers will treat it just like a normal Bitcoin transfer – meaning that she’ll receive the full bitcoin value of the coin (minus transaction fees) at the destination address.

The key to this process is to ensure that the bitcoins received at the end of this process are completely unlinked to the bitcoins that were used in the beginning. This is accomplished using a variety of cryptographic components, including digital commitments and zero-knowledge proofs. The end result is that it is mathematically infeasible to link the particular bitcoins used at the beginning and end of this process, other than through educated guesswork.

For a more detailed explanation of the Zerocoin system you can see the original research paper or this blog post that gives a high-level summary.

The road ahead

We have released an alpha version of libzerocoin, a library suitable for integration into Bitcoin clients. See software.

We still need to:

  • Continue to improve the library.
  • Provide a BIP style specification of the Zerocoin protocol
  • Get someone integrate it into bitcoin/litecoin/*coin